# NixOS module: Galene videoconferencing ("visio") published through the
# "tools" website environment.
#
# Galene is configured to speak plain HTTP (insecure = true) and is proxied by
# the vhost declared at the bottom. The only port this module opens in the
# firewall is the TURN port.
{ lib, pkgs, config, ... }:
let
  port = 18013;      # Galene HTTP listener, target of the ProxyPass rules
  turnPort = 18014;  # Galene TURN listener, opened for TCP and UDP below
  cfg = config.myServices.websites.tools.visio;

  # Rendered once and reused in the command-line hack and the proxy rules.
  httpBackend = "localhost:${toString port}";
  turnListen = ":${toString turnPort}";
in
{
  options.myServices.websites.tools.visio.enable =
    lib.mkEnableOption "enable visio website";

  config = lib.mkIf cfg.enable {
    # Only the TURN port is exposed here; the HTTP port is not opened.
    networking.firewall = {
      allowedTCPPorts = [ turnPort ];
      allowedUDPPorts = [ turnPort ];
    };

    services.galene = {
      enable = true;
      httpPort = port;
      # No TLS on Galene's own listener. NOTE(review): presumably acceptable
      # because the `-http localhost:...` argument below keeps that listener
      # on loopback and TLS is handled by the vhost; verify on the host.
      insecure = true;
      # hack to bypass module's limitations
      # The value is not just a path: it also carries `-http` and `-turn`
      # arguments. NOTE(review): this only works if the galene module splices
      # dataDir unquoted into the command line. Re-check after every module
      # upgrade which address the HTTP listener is really bound to: if the
      # value ever gets quoted, the flags would become part of a directory
      # name and the listener would follow the module's own settings instead.
      dataDir = "/var/lib/galene/data -http ${httpBackend} -turn ${turnListen}";
    };

    services.websites.env.tools.vhostConfs.visio = {
      # NOTE(review): certificate handling lives in the vhost framework,
      # outside this file; confirm that plain-HTTP access to this host is
      # redirected or refused there.
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "visio.immae.eu" ];
      root = null;
      # Apache mod_proxy rules. The /ws rule must stay ahead of the catch-all
      # "/" rule, since the first matching ProxyPass wins. ProxyPreserveHost
      # forwards the client-facing Host header to the backend.
      extraConfig = [
        ''
          ProxyPass /ws ws://${httpBackend}/ws
          ProxyPassReverse /ws ws://${httpBackend}/ws
          ProxyPass / http://${httpBackend}/
          ProxyPassReverse / http://${httpBackend}/
          ProxyPreserveHost On
        ''
      ];
    };
  };
}